Understanding and Leveraging the CSF

The HITRUST CSF was developed to address the multitude of security, privacy and regulatory challenges facing organizations. By incorporating federal and state regulations, standards and frameworks, and by taking a risk-based approach, the HITRUST CSF helps organizations meet these challenges through a comprehensive, flexible framework of prescriptive and scalable security controls.

The HITRUST CSF:

Includes, harmonizes and cross-references existing, globally recognized standards, regulations and business requirements, including ISO, NIST, PCI, HIPAA and state laws

Scales controls according to the type, size and complexity of an organization

HITRUST also offers a risk assessment tool called MyCSF to help organizations implement the framework. MyCSF is a secure, web-based solution for performing assessments, managing remediation activities, and reporting and tracking compliance.

*A qualified organization is any organization employing a function or activity involving the use or disclosure of individually identifiable health information, provided that said organization does not provide security products or services. Additionally, any federal, state, or local agency or department may qualify. HITRUST has the right to verify eligibility.

HITRUST CSF v9.1 Updates

HITRUST has increased its level of support for global organizational privacy programs in an interim v9.1 release of the HITRUST CSF by incorporating the European Union (EU) Regulation 2016/679, General Data Protection Regulation (GDPR), and mapping the HITRUST CSF’s privacy and security requirements to the AICPA Trust Services Criteria for Privacy.

These changes increase the applicability of the HITRUST CSF to privacy programs across multiple industries, both nationally and internationally.